Analysis
-
max time kernel
134s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
12/07/2023, 18:46
General
-
Target
2b2d4fcde79ec18965ade78318c38c4c.exe
-
Size
3.5MB
-
MD5
2b2d4fcde79ec18965ade78318c38c4c
-
SHA1
6117aa4ee5f83046ba23398deeeb892b1bb22bab
-
SHA256
e297203dfba8fae21f135b84577e5ca2bab763ce31dd4870a6675ce4bf4b4438
-
SHA512
bb3d45a350c1c8a7ad79251872d2d163249c65b3953d2031f817322972915d75c5a839599ad0a37251bee5346ab1ff3fdfde47b341255c02f0c9f51c3b0325b8
-
SSDEEP
98304:vJGVP6249vx6nXmtxhwv1CT86mtaxOl7uss/31N3H:vUVoVxQX2xh2088xMk/lh
Malware Config
Extracted
orcus
Новый тег
128.59.46.185:20954
sudo_t5h71vhdjlc15uv100unb79v0m48rb0o
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\securepipeasync\lineline.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 8 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Orcurs Rat Executable 9 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b2d4fcde79ec18965ade78318c38c4c.exe"C:\Users\Admin\AppData\Local\Temp\2b2d4fcde79ec18965ade78318c38c4c.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portFontruntimesvc\IFs7PxNlf0FukhYTS68xpV.vbe"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portFontruntimesvc\MDelSg1gMf2sbupZ4DcoQydnq.bat" "4⤵
-
C:\portFontruntimesvc\hyperReview.exe"C:\portFontruntimesvc\hyperReview.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\lineline.exe"C:\Users\Admin\AppData\Local\Temp\lineline.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe"C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exeC:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exeC:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exeC:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59be3069b2cf9222dde6c28dd9180a35a
SHA114b76614ed5c94c513b10ada5bd642e888fc1231
SHA2565e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a
SHA512043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885
-
Filesize
940KB
MD535358d4b383f19ddbfff815b641a86f4
SHA16be51752e0192aeb013c095fc58fd974ad9f8071
SHA256f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8
SHA51277c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7
-
Filesize
940KB
MD535358d4b383f19ddbfff815b641a86f4
SHA16be51752e0192aeb013c095fc58fd974ad9f8071
SHA256f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8
SHA51277c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7
-
Filesize
940KB
MD535358d4b383f19ddbfff815b641a86f4
SHA16be51752e0192aeb013c095fc58fd974ad9f8071
SHA256f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8
SHA51277c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
3.1MB
MD5c947802e4ff7646d3dcfa28fa3a9f47b
SHA17d2b692d73ec80ab9c32480bf0a728438cc2862f
SHA256d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
SHA512bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
220B
MD5696dd36e43dfabcb46c5d1a01d83e074
SHA1ccd0630199c3f2b8069df5d6c60143d4667f1bca
SHA2568b79645b9b1edfcca61d94bc484a34e97acd457c523ffdc6302f2c8d9f516890
SHA512f2f8234b5ad627c6cc9a67b9ed60fc752f0f871fe29835a7e67ecfd0925fa8c012b91345e6e2847cfff82c384a3c70e555ada6187ceecfc9383bbfa75e271ecf
-
Filesize
39B
MD58d2aa3c1f34c8d66ebe1fe33d1be720c
SHA16c2eee861d06a0f2213c879e55117ad49810060b
SHA256adfa34a0415a3b8a9eed4bb4bcdd7f8ef8c9619b2ed1cc7efd28dded503be2bf
SHA5129e3635bbd28459ae4aea66cab7f320b870d0aa9e70908f149e139c8d868f9bcc208be595b696b00096c90a6de039a53e757db8d55d7bdd381401577c45b3197c
-
Filesize
631KB
MD5fff99ff34acdaff6fc588d3d9464a6bf
SHA142d0449b6cfc9e670ef47fe88b0d564402faae85
SHA256e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869
SHA51274d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa
-
Filesize
631KB
MD5fff99ff34acdaff6fc588d3d9464a6bf
SHA142d0449b6cfc9e670ef47fe88b0d564402faae85
SHA256e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869
SHA51274d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
64KB